A Model-Constructing Satisfiability Calculus VMCAI 2013

Dejan Jovanović (NYU)

Leonardo de Moura (Microsoft Research)

Symbolic Reasoning

Software analysis/verification tools need some form of symbolic reasoning.

Logic is “The Calculus of Computer Science” (Zohar Manna)

Symbolic Reasoning

Undecidable (FOL + LIA)

Semi-decidable (FOL)

NEXPTIME (EPR)

PSPACE (QBF)

NP (SAT)

Practical problems often have structure that can be exploited.

Logic Engines as a Service

(logos: Scala, Z3, SAGE, SecGuru)

Satisfiability

Is Formula F Satisfiable?

  sat: Solution/Model (a witness)

  unsat: Proof

SAGE: Is execution path P feasible? Is assertion X violated?

The RISE of Model-Based Techniques in SMT

Saturation vs. Search: Proof-finding vs. Model-finding

[diagram: Models and Proofs, linked by Conflict Resolution]

SAT

CNF is a set (conjunction) of clauses; a clause is a disjunction of literals; a literal is an atom or the negation of an atom.

Two procedures:

  Resolution: proof-finder, saturation

  DPLL: model-finder, search

Resolution

Improvements: delete tautologies; ordered resolution; subsumption (delete redundant clauses)

Saturate until the empty clause is derived: unsat

Resolution: Example

[example derivation stepped through on the slides]

Resolution: Problem

Exponential time and space

Unit Resolution

The unit resolvent subsumes the clause it was derived from, so that clause can be deleted.

DPLL

DPLL = Unit Resolution + Split rule

Split rule:

  S  ⟹  S, p  |  S, ¬p

DPLL on the example: x ∨ y, ¬x ∨ y, x ∨ ¬y, ¬x ∨ ¬y

[the slides step through the search on this clause set; it is unsat]

CDCL: Conflict Driven Clause Learning

[diagram: DPLL search yields a Model or a Conflict; a Conflict is explained by Resolution, which yields a Proof]

Linear Arithmetic

Two procedures:

  Fourier-Motzkin: proof-finder, saturation

  Simplex: model-finder, search

Fourier-Motzkin

Very similar to Resolution; exponential time and space.

  t1 ≤ ax,  bx ≤ t2

  ⟹  b·t1 ≤ abx,  abx ≤ a·t2

  ⟹  b·t1 ≤ a·t2

Simplex-based procedure

  x ≥ 0,  x + y ≤ 2,  x + 2y > 4

  with slack variables s1 = x + y and s2 = x + 2y: s1, s2 are basic (dependent); x, y are non-basic

Simplex-based procedure: Pivoting

Key property: if an assignment satisfies the equations before a pivoting step, then it will also satisfy them after!

Example: M(x) = 1, M(y) = 1, M(s1) = 2, M(s2) = 3

Simplex: Repairing Models

If the assignment of a non-basic variable does not satisfy a bound, then fix it and propagate the change to all dependent variables.

  a = c − d,  b = c + d;   M(a) = 0, M(b) = 0, M(c) = 0, M(d) = 0;   new bound 1 ≤ c

  → fix c and propagate:   M(a) = 1, M(b) = 1, M(c) = 1, M(d) = 0

Simplex: Repairing Models

If the assignment of a basic variable does not satisfy a bound, then pivot it, fix it, and propagate the change to its new dependent variables.

  a = c − d,  b = c + d;   M(a) = 0, M(b) = 0, M(c) = 0, M(d) = 0;   new bound 1 ≤ a

  → pivot a with c:   c = a + d,  b = a + 2d   (assignment unchanged)

  → fix a and propagate:   M(a) = 1, M(b) = 1, M(c) = 1, M(d) = 0
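The two repair cases above, as an added example (not the slides' code) on the slides' own tableau a = c − d, b = c + d starting from the all-zero assignment; the Tableau class and its method names are my own.

```python
# Added example (not the slides' code): the slides' two model-repair cases for the
# simplex procedure, on the slides' tableau a = c - d, b = c + d with M = 0 everywhere.
from fractions import Fraction as Fr

class Tableau:
    """rows: basic var -> {non-basic var: coefficient}, meaning basic = sum(coef * non-basic)."""
    def __init__(self, rows, values):
        self.rows = {b: {x: Fr(k) for x, k in r.items()} for b, r in rows.items()}
        self.M = {v: Fr(x) for v, x in values.items()}   # the current assignment M

    def equations_hold(self):
        """Key property from the slides: every row is satisfied by M (before and after pivoting)."""
        return all(self.M[b] == sum(k * self.M[x] for x, k in r.items())
                   for b, r in self.rows.items())

    def update(self, x, value):
        """x is non-basic: assign it and propagate the change to every dependent (basic) variable."""
        delta = Fr(value) - self.M[x]
        for b, r in self.rows.items():
            self.M[b] += r.get(x, 0) * delta
        self.M[x] = Fr(value)

    def pivot(self, b, x):
        """Make basic b non-basic and non-basic x basic (x must occur in b's row)."""
        row = self.rows.pop(b)
        k = row.pop(x)                                    # b = k*x + rest  =>  x = (b - rest)/k
        new = {y: -c / k for y, c in row.items()}
        new[b] = 1 / k
        for r in self.rows.values():                      # substitute x away in the other rows
            if x in r:
                c = r.pop(x)
                for y, cy in new.items():
                    r[y] = r.get(y, 0) + c * cy
        self.rows[x] = new
        assert self.equations_hold()                      # pivoting never breaks the equations

    def fix_lower_bound(self, v, bound):
        """Repair M(v) >= bound: direct update if v is non-basic, pivot it out first if basic."""
        if self.M[v] >= bound:
            return
        if v in self.rows:                                # basic: pick any variable in its row
            self.pivot(v, next(x for x, k in self.rows[v].items() if k != 0))
        self.update(v, bound)
```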

Polynomial Constraints

AKA Existential Theory of the Reals (over ℝ)

CAD “Big Picture”

1. Project/Saturate: set of polynomials

2. Lift/Search: incrementally build assignment

  Isolate roots of polynomials

  Select a feasible cell, and assign some value from it

  If there is no feasible cell, then backtrack

CAD “Big Picture”: example

  x² + y² − 1 < 0,  xy − 1 > 0

1. Saturate: projected polynomials

  x⁴ − x² + 1

  x,  x² − 1

  Sign table over the cells of x (rows labelled by the polynomial whose zeros match):

    x⁴ − x² + 1:   +  +  +  +  +  +  +

    x² − 1:        +  0  −  −  −  0  +

    x:             −  −  −  0  +  +  +

2. Search: assign x ↦ −2; signs of the two input polynomials over the cells of y:

    x² + y² − 1:   +  +  +

    xy − 1:        +  0  −

  CONFLICT (the first constraint needs a negative sign, but its row is positive in every cell)

NLSAT: Model-Based Search

Static vs. Dynamic; optimistic approach.

Key ideas:

  Start the search before Saturate/Project

  We saturate on demand

  Model guides the saturation

[diagram: Models and Proofs, linked by Conflict Resolution]

Experimental Results (1)

[chart; our new engine highlighted]

Experimental Results (2)

[chart; our new engine highlighted]

Other examples

Delayed Theory Combination [Bruttomesso et al 2006] (marked X on the slide) → Model-Based Theory Combination

Other examples

Array theory by axiom instantiation (marked X on the slide) → Lemmas on Demand for the theory of arrays [Brummayer-Biere 2009]

Other examples (for linear arithmetic)

Fourier-Motzkin (marked X on the slide) → Generalizing DPLL to richer logics [McMillan et al 2009]; Conflict Resolution [Korovin et al 2009]

Saturation: successful instances

Polynomial time procedures: Gaussian Elimination, Congruence Closure

SAT + Theory Solvers: Basic Idea

  x ≥ 0,  y = x + 1,  (y > 2 ∨ y < 1)

Abstract the atoms:  p1 ≡ (x ≥ 0),  p2 ≡ (y = x + 1),  p3 ≡ (y > 2),  p4 ≡ (y < 1)

Boolean skeleton handed to the SAT solver:  p1, p2, (p3 ∨ p4)

[Audemard et al 2002], [Barrett et al 2002], [de Moura et al 2002]

SAT solver assignment:  p1, p2, ¬p3, p4

Back in the theory:  x ≥ 0,  y = x + 1,  ¬(y > 2),  y < 1

Theory solver:  Unsatisfiable  (x ≥ 0,  y = x + 1,  y < 1)

New lemma:  ¬p1 ∨ ¬p2 ∨ ¬p4
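As an added example (not code from the slides), a DPLL solver made of unit resolution plus the split rule, run on the slides' four-clause example (x ∨ y, ¬x ∨ y, x ∨ ¬y, ¬x ∨ ¬y), and the lazy SAT + theory-solver loop above run on the slides' x ≥ 0, y = x + 1, (y > 2 ∨ y < 1) example. The theory solver is a toy bounds checker of my own that assumes p2 (y = x + 1) is asserted, which holds here because p2 is a unit clause; the split tries ¬p first so the SAT solver reproduces the slides' assignment p1, p2, ¬p3, p4.

```python
# Added example (not the slides' code): DPLL = unit resolution + split rule, plus the
# lazy "SAT + theory solver" loop, run on the two inputs the slides use.
from math import inf

def dpll(clauses, model=None):
    """Return a model (dict var -> bool) or None; literal p is the int p, not p is -p."""
    model, rest = dict(model or {}), []
    for c in clauses:
        if any(model.get(abs(l)) is (l > 0) for l in c):
            continue                              # clause already satisfied
        c = [l for l in c if abs(l) not in model]
        if not c:
            return None                           # empty clause: conflict
        rest.append(c)
    if not rest:
        return model                              # every clause satisfied
    unit = next((c[0] for c in rest if len(c) == 1), None)
    if unit is not None:                          # unit resolution: the literal is forced
        return dpll(rest, {**model, abs(unit): unit > 0})
    p = abs(rest[0][0])                           # split rule; try not p first (slides' trace)
    return dpll(rest, {**model, p: False}) or dpll(rest, {**model, p: True})

# Slides' atoms as bounds (var, is_lower, const, strict): p1: x >= 0, p3: y > 2, p4: y < 1.
# p2 is y = x + 1; the toy theory solver assumes p2 is asserted and substitutes it.
ATOMS = {1: ('x', True, 0, False), 3: ('y', True, 2, True), 4: ('y', False, 1, True)}

def theory_check(lits):
    """None if the theory literals are consistent, else a small unsat core (list of lits)."""
    lo, hi = (-inf, False, None), (inf, False, None)   # (value, strict?, literal)
    for l in (l for l in lits if abs(l) != 2):
        var, lower, c, strict = ATOMS[abs(l)]
        if l < 0:                                 # not (x >= c) is x < c, etc.
            lower, strict = not lower, not strict
        c = c - 1 if var == 'y' else c            # substitute y = x + 1
        if lower and (c, strict) > lo[:2]:
            lo = (c, strict, l)                   # tighter lower bound on x
        if not lower and (-c, strict) > (-hi[0], hi[1]):
            hi = (c, strict, l)                   # tighter upper bound on x
    if lo[0] > hi[0] or (lo[0] == hi[0] and (lo[1] or hi[1])):
        return [2, lo[2], hi[2]]                  # e.g. [p2, p1, p4]: x >= 0 and x < 0
    return None

def dpll_t(clauses):                              # lazy SAT + theory loop
    clauses = [list(c) for c in clauses]          # learned lemmas get appended here
    while (m := dpll(clauses)) is not None:
        core = theory_check([p if v else -p for p, v in m.items()])
        if core is None:
            return m, clauses                     # theory-consistent model, input + lemmas
        clauses.append([-l for l in core])        # lemma: not p1 or not p2 or not p4
    return None, clauses
```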

SAT + Theory Solvers: refinements

  Incrementality

  Efficient backtracking

  Efficient lemma generation

  Theory propagation [Ganzinger et al. 2004]

MCSat

Input:  x ≥ 2,  (¬(x ≥ 1) ∨ y ≥ 1),  (x² + y² ≤ 1 ∨ xy > 1)

Trail, in order:

  x ≥ 2              (input)

  x ≥ 1              (propagation)

  y ≥ 1              (propagation)

  x² + y² ≤ 1        (decision)

  x ↦ 2              (model assignment)

Conflict: with x ↦ 2 we can’t find a value of y s.t. x² + y² ≤ 1.

Learning ¬(x = 2) is not productive.

[plot: the disk x² + y² ≤ 1 in the (x, y) plane and the assignment x ↦ 2]

Explain the conflict by projecting y out of the constraint:

  x² + y² ≤ 1,  x ↦ 2     ⟹     −1 ≤ x,  x ≤ 1

  Explanation clause:  ¬(x² + y² ≤ 1) ∨ x ≤ 1

Trail after adding the explanation:  x ≥ 2,  x ≥ 1,  y ≥ 1,  x² + y² ≤ 1,  x ≤ 1

  Clause:  ¬(x² + y² ≤ 1) ∨ x ≤ 1

  Conflict:  ¬(x ≥ 2) ∨ ¬(x ≤ 1)

Learned by resolution (on x ≤ 1):  ¬(x ≥ 2) ∨ ¬(x² + y² ≤ 1)

Trail after backtracking:  x ≥ 2,  x ≥ 1,  y ≥ 1,  ¬(x² + y² ≤ 1)

  Clauses:  ¬(x² + y² ≤ 1) ∨ x ≤ 1,   ¬(x ≥ 2) ∨ ¬(x² + y² ≤ 1)

MCSat – Finite Basis

Every theory that admits quantifier elimination has a finite basis (given a fixed assignment order).

  F[x1, …, xn, y1, …, ym]

  ∃x1, …, xn : F[x1, …, xn, y]     ⟺     C1[y1, …, ym] ∧ … ∧ Ck[y1, …, ym]

  ¬F[x1, …, xn, y1, …, ym] ∨ Ck[y1, …, ym]

MCSat – Finite Basis

[diagram: the assignment order x1, x2, …, xn and the corresponding formulas F1[x1], F2[x1, x2], …, Fn−1[x1, x2, …, xn−1], Fn[x1, x2, …, xn−1, xn]]


MCSat – Finite Basis

Every “finite” theory has a finite basis:  F[x1, …, xn, y1, …, ym]

Theory of uninterpreted functions has a finite basis.

Theory of arrays has a finite basis [Brummayer-Biere 2009].

In both cases the finite basis is essentially composed of equalities between existing terms.

We can also use literals from the finite basis in decisions.

Application: simulate branch & bound for bounded linear integer arithmetic.

[plot: LP solution in the (x1, x2) plane, axes 0..6; branching literals x1 ≤ 0 and x1 ≥ 1]

MCSat: Termination

Trail elements: Propagations, Decisions, Model Assignments

Ordering: Propagations ≻ Decisions ≻ Model Assignments

|FiniteBasis ∨ …|  … Maximal Elements

Input:  x ≥ 2,  (¬(x ≥ 1) ∨ y ≥ 1),  (x² + y² ≤ 1 ∨ xy > 1)

Trail:  x ≥ 2,  x ≥ 1,  y ≥ 1,  x² + y² ≤ 1,  x ≤ 1

  Clause:  ¬(x² + y² ≤ 1) ∨ x ≤ 1

  Conflict:  ¬(x ≥ 2) ∨ ¬(x ≤ 1)

Trail:  x ≥ 2,  x ≥ 1,  y ≥ 1,  ¬(x² + y² ≤ 1)

  Clauses:  ¬(x² + y² ≤ 1) ∨ x ≤ 1,   ¬(x ≥ 2) ∨ ¬(x² + y² ≤ 1)

MCSat

Input:  x < 1 ∨ p,  ¬p ∨ x = 2

Trail:  x ↦ 1  (model assignment), then  p

Conflict:  ¬p ∨ x = 2 evaluates to false

New clause:  x < 1 ∨ x = 2

Trail after learning:  x < 1

MCSat: Architecture

Components: Arithmetic, Boolean, Lists, Arrays

MCSat: development

http://z3.codeplex.com

News: Z3 source code is available

Conclusion

Logic as a Service

Model-Based techniques are very promising

http://z3.codeplex.com

http://rise4fun.com/z3py

MCSat

